Open renovate[bot] opened 4 months ago
Name | Link |
---|---|
Latest commit | ebdddf0ef527213c1f814a6fee4296b3306802a0 |
Latest deploy log | https://app.netlify.com/sites/celo-composer/deploys/665ee82d2b1e74000839f8e8 |
Deploy Preview | https://deploy-preview-279--celo-composer.netlify.app |
Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
Removed dependencies detected. Learn more about Socket for GitHub โ๏ธ
๐ฎ Removed packages: npm/postcss@8.4.23
This PR contains the following updates:
8.4.23
->8.4.31
^8.4.12
->^8.4.31
PostCSS line return parsing error
CVE-2023-44270 / GHSA-7fh5-64p2-3v2j
More information
#### Details An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2023-44270](https://nvd.nist.gov/vuln/detail/CVE-2023-44270) - [https://github.com/github/advisory-database/issues/2820](https://togithub.com/github/advisory-database/issues/2820) - [https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5](https://togithub.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5) - [https://github.com/postcss/postcss](https://togithub.com/postcss/postcss) - [https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25](https://togithub.com/postcss/postcss/blob/main/lib/tokenize.js#L25) - [https://github.com/postcss/postcss/releases/tag/8.4.31](https://togithub.com/postcss/postcss/releases/tag/8.4.31) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7fh5-64p2-3v2j) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
postcss/postcss (postcss)
### [`v8.4.31`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8431) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.30...8.4.31) - Fixed `\r` parsing to fix CVE-2023-44270. ### [`v8.4.30`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8430) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.29...8.4.30) - Improved source map performance (by Romain Menke). ### [`v8.4.29`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8429) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.28...8.4.29) - Fixed `Node#source.offset` (by Ido Rosenthal). - Fixed docs (by Christian Oliff). ### [`v8.4.28`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8428) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.27...8.4.28) - Fixed `Root.source.end` for better source map (by Romain Menke). - Fixed `Result.root` types when `process()` has no parser. ### [`v8.4.27`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8427) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.26...8.4.27) - Fixed `Container` clone methods types. ### [`v8.4.26`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8426) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.25...8.4.26) - Fixed clone methods types. ### [`v8.4.25`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8425) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.24...8.4.25) - Improve stringify performance (by Romain Menke). - Fixed docs (by [@vikaskaliramna07](https://togithub.com/vikaskaliramna07)). ### [`v8.4.24`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8424) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.23...8.4.24) - Fixed `Plugin` types.Configuration
๐ Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
๐ฆ Automerge: Disabled by config. Please merge this manually once you are satisfied.
โป Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
๐ Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.